Have all the Breaches Breached the Public Trust

You do not have to look far to see examples of data breaches where data on the Internet is exfiltrated. Just last week Under Armour admitted to a large attack, and as I am writing this, details are coming out about an attack on Saks Fifth Avenue and Lord & Taylor stores. And who can forget the Equifax breach?

If you are reading this blog, you probably work with data. You are probably working with data that people trust you to secure: for example, names, addresses, phone numbers, credit cards, social security numbers, health data, and more. My hope is that you make the effort to do this responsibly. Not everyone does.

Here is the bigger challenge: even if you are taking precautions to manage data securely, it might not be enough. There are many ways that bad actors enter networks or intercept data in order to reach data they have no right to access. In this blog, I am not going to write about how to secure a network or a database. I want to write about whether it is time for the government to regulate our use of personal data, similar to the way it is being done in Europe, and how this affects the readers of this blog post.

I think we can all agree that, unless someone lives in the woods without power or running water, it is impossible not to share your personal information with companies. To me this means that we have to accept that sharing data with companies is inevitable, and therefore companies need to be bound to taking responsible care of personal data.

A clear definition of personal information needs to be made. We need a reasonable standard of what personal information is and how a person can give permission to share that information. For example, are both my first and last name private in all cases? This is a very large task and one that needs to involve industry, consumer groups, the government, and, very importantly, IT experts.

We can look to the European Union's General Data Protection Regulation, but it would be a mistake to copy it outright. We need something that fits the United States and makes sense for the United States.

States are considering action, and we do not want this to happen at the state level. Imagine if an e-commerce store had to have different data storage standards for each state. You might even have to run multiple websites. New Mexico could say that the data for residents of New Mexico must reside in the state.

As a consumer who wants to know that there are standards for how my data is being protected, a set of laws is important to me. As a business owner, I know that standards like these can be expensive to implement but are generally important. As an IT expert, I know that change is constant, and I offer whatever help I can in crafting legislation on how we keep the personal data of US citizens safe.

My idea to write this blog comes from the guest blog on VentureBeat by Derek Weeks titled "It's time to regulate: The U.S. must make software companies liable for breaches."

The opinions expressed in this blog are just that. They are based on research and not on any additional knowledge of forthcoming laws in Colorado, the United States, or other parts of the world. I am not an attorney either, so add a couple of grains of salt for that as well.